FTC Sues Hotel Operator Wyndham Worldwide Over Data Breaches 6/26/12
Summary by Ryne Stone
Wyndham Worldwide, a hotel chain, and three of its subsidiaries are being sued by the Federal Trade Commission over security failures that resulted in three data breaches in less than two years. “According to the FTC, those failures led to fraudulent charges on consumers' accounts, millions of dollars in fraud losses and the theft of hundreds of thousands of consumer payment card account details to an Internet domain address registered in Russia”. The FTC says that Wyndham and its subsidiaries did not have controls in place such as complex user IDs and passwords, firewalls, and network segmentation between the hotels and the corporate network. In addition, improper software configurations led to sensitive payment card information being stored in clear, readable text.
The FTC says the first breach happened in April 2008, when hackers in Arizona gained access to a Wyndham hotel’s local computer network, which was connected to the Internet and to the corporate network of Wyndham Hotels and Resorts. The hackers were able to reach the corporate network and the property management system servers, and with that access they installed malware and accessed company files. The second attack, which was similar to the first, happened in March 2009; on top of the memory-scraping malware, “they also reconfigured software at the Wyndham hotels to obtain clear text files with the payment card account numbers of guests. The intruders were able to access data at 39 Wyndham hotels in this incident and obtain payment card information on 50,000 consumers”. The final attack came later in 2009. It was similar to the first two, and the attackers got away with information on about 69,000 consumer payment card accounts.
Cybercriminals Using 'Lego' Approach to Crime Kit Development 6/26/12
Summary by Ryne Stone
Research shows that some criminals like to build things from scratch, taking a “Lego-type of approach to crime kit development”. This approach is found in the development and sale of custom malware designed to harvest banking data. The research, done by the security firm Trusteer, expands on data previously collected by Trend Micro. Trend originally reported that “Automatic Transfer System development has become a booming turn-key business for many crime kit developers”. This turned out to be only a small part of the overall scheme: Trusteer started reporting that “malware developers are offering individual mix-and-match features to criminals looking to make a fast buck”. In the past, crime kits were sold with malware-based pricing, with lower costs for bulk purchases or regional price breaks. The current pricing “charges for webinjects based on the specific features requested and user information they are designed to steal”. Such a product could, for example, capture the victim’s bank balance information and send it to a command and control server. In summary, criminals these days are no longer tied down by specific instructions but can now “specify the precise exploit and target institution that they believe will maximize their ability to successfully commit fraud”.